#general
Xuanwo

11/10/2022, 4:16 AM
@Yp Xie By starting databend-query with the environment variable RUST_LOG=debug, we can read the debug messages on loading the S3 credential. Please feel free to ping me if anything goes wrong~

Yp Xie

11/10/2022, 4:26 AM
cool, I’ll try that, thanks!
7:27 AM
Hi @Xuanwo just tried commenting `access_key_id` and `secret_access_key` fields, and as far as I know, if we use AWS SDKs to access S3 buckets from an EC2 instance, we should either use explicit credentials like `access_key_id` and `secret_access_key` or we can use STS to assume role and get a security token from AWS. And I found from source code that we can add a `role_arn` in the config file, so I added the role_arn of the EC2 instance to the config file, but it still responds with `403`. In the debug log I found the reason is it will always try to communicate with global `sts` endpoint <https://sts.amazonaws.com/> instead of regional endpoint like <https://sts.us-west-2.amazonaws.com>, and we have a very strict access policy about which endpoint url to use in our company, so the connection will always fail. I tried to `export AWS_STS_REGIONAL_ENDPOINTS=https://sts.us-west-2.amazonaws.com` to solve it but it doesn’t work as expected so I’d like to know if there’s any workaround to set this regional sts endpoint. 🤪 thanks!
7:44 AM
OK, I found the endpoint is not possible to dynamically set up, it’s hard-coded in the source code file…